Hardening powder
Hi folks,
I'm adopting and repacking Powder as per bug #691835. In addition to
modernising the package I'm attempt to harden it. The package uses a
custom shell script to build which I fork out of the rules file. No
matter what I do though I can't fully harden it with the best I can get
being this;
./powder:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
PIE and Immediate binding I just can't seem to do. During compilation I
can see the following in the final executable so it looks like the
correct args are being passed.
g++ -static-libgcc -L. -o powder linuxmain.o ../sdl/hamfake.o
../../action.o ../../assert.o ../../ai.o ../../artifact.o ../../bmp.o
../../build.o ../../buf.o ../../control.o ../../creature.o
../../dpdf_table.o ../../encyc_support.o ../../gfxengine.o
../../grammar.o ../../hiscore.o ../../input.o ../../intrinsic.o
../../item.o ../../map.o ../../mobref.o ../../msg.o ../../name.o
../../piety.o ../../rand.o ../../signpost.o ../../smokestack.o
../../speed.o ../../sramstream.o ../../stylus.o ../../victory.o
../../encyclopedia.o ../../glbdef.o ../../credits.o ../../license.o
../../gfx/all_bitmaps.o ../../rooms/allrooms.o `sdl-config --libs` -g
-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro
But!
powder-117$ readelf -d powder | grep BIND
mongrol@square:~/dev/debian/powder/powder-117$
powder-117$ file powder
powder: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux),
dynamically linked (uses shared libs), for GNU/Linux 2.6.26,
BuildID[sha1]=0x25f4efae0013b9cc33df06718f7f262f160eb887, not stripped
Here's my rules file;
#!/usr/bin/make -f
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) $(CPPFLAGS)
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
%:
dh $@
override_dh_auto_build:
dh_testdir
echo "export LDFLAGS="$LDFLAGS /
echo "export CXXFLAGS="$CXXFLAGS /
bash -ex ./buildall.sh
clean:
dh_testdir
dh_testroot
rm -f *.o */*.o */*/*.o rooms/*.cpp rooms/allrooms.h gfx/*.c gfx/*/*.c
rm -f license.cpp glbdef.cpp glbdef.h encyclopedia.cpp encyclopedia.h
rm -f credits.cpp gfx/akoi3x/sprite16_3x.bmp
rm -f powder port/linux/powder support/bmp2c/bmp2c
support/encyclopedia2c/encyclopedia2c support/enummaker/enummaker
support/map2c/map2c support/tile2c/tile2c support/txt2c/txt2c
port/linux/libstdc++.a
dh_clean
Reply to: